Analysis
  max time kernel:  185s
  max time network: 198s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230220-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        01/05/2023, 19:37
Static task: static1

Behavioral task: behavioral1
  Sample:   fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
  Resource: win10v2004-20230220-en
General
  Target: fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
  Size:   747KB
  MD5:    37888df004aa3046b1388383dd80adf1
  SHA1:   531177ae8a01b4e6e14f89ec045d44076081dea5
  SHA256: fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96
  SHA512: a05c00dec7c753397e540c4f3a4cca4c74a30c9295cee2070bee8920800d4302cb83a2933cbe42c101fcd0df8ca4103568918a9a61cf39f284a7afbcced1b827
  SSDEEP: 12288:Iy90sqaJpsFCf9E/fH4ir30LGYzs4Bde7k+HZC1XbN4wJnuyG5tyNoC:IyNoYu//Hr2Zs4WpHZCBbNZJuyGnW
Malware Config
Signatures
Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.

  resource                                                                     yara_rule
  behavioral2/memory/3292-995-0x0000000007940000-0x0000000007F58000-memory.dmp  redline_stealer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description      ioc                                                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    25594768.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    25594768.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  25594768.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                    25594768.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    25594768.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        25594768.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (3 IoCs)
  pid   Process
  1616  un777065.exe
  4768  25594768.exe
  3292  rk938003.exe

Windows security modification (2 IoCs)
  description      ioc                                                                                                Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  25594768.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                         25594768.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                      un777065.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un777065.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                      fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4768  25594768.exe
  4768  25594768.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4768  25594768.exe
  Token: SeDebugPrivilege  3292  rk938003.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                   pid   Process                                                                   procid_target
  PID 660 wrote to memory of 1616   660   fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe  81
  PID 660 wrote to memory of 1616   660   fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe  81
  PID 660 wrote to memory of 1616   660   fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe  81
  PID 1616 wrote to memory of 4768  1616  un777065.exe                                                              82
  PID 1616 wrote to memory of 4768  1616  un777065.exe                                                              82
  PID 1616 wrote to memory of 4768  1616  un777065.exe                                                              82
  PID 1616 wrote to memory of 3292  1616  un777065.exe                                                              83
  PID 1616 wrote to memory of 3292  1616  un777065.exe                                                              83
  PID 1616 wrote to memory of 3292  1616  un777065.exe                                                              83
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fee0a609f1554529890f1c56c3aa61734e8e36e69bbf1afa749ec7e3b90e5f96.exe"
      PID: 660
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un777065.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un777065.exe
        PID: 1616
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25594768.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25594768.exe
          PID: 4768
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938003.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938003.exe
          PID: 3292
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize  593KB
  MD5       e917f1d5245cbe7b6a95282f4013f7b7
  SHA1      c5de960d37e2a9c6426eef72ef0484a210a9fb20
  SHA256    ae58d6a2cac88313c3235194cadb02b4b32766effbf214cd3bd62e38b2946ce0
  SHA512    1da045945ed6db620e3a04b3e9e05e537f04b70574ad538b02cafd563cf47bf70444ed8517a39eb25b25dedde3c77de9a5462bc21667c239728ac565aaae2f78

  Filesize  377KB
  MD5       f3e2f9f6609858f2b4ae4cd9015b71b9
  SHA1      55e237e3b1163ae83260c71e625ca49e43d6f308
  SHA256    01c15148cb46f0bcd6a9cfe5877fcfecc198707e79c1a897da81e5c194ca7284
  SHA512    4d31ed5d147c94bab7963c71d45293dda8cb2df9a01db68815aea1b0e5c6804b057ebe4ea4562570538ad7ea87b3f73f7e115289291ac45b0c9a7f9b33f2a264

  Filesize  459KB
  MD5       960416951edc7cfa6a71a8763f926896
  SHA1      a7932f375439309f2a7b4a2c6062b82a3a398dc1
  SHA256    7c694c156db07b95ef4b411ca609b82a8bc9af4a02b5d32750fa67bb637c5daa
  SHA512    f6cca0bb0111846120464af223774269a27e2e24019d95d0261302066b51910776cd2d28b05b0096a5348cb2f46182b79750c386b35dd3ff52f3c1af77119976